[CERT-daily] Tageszusammenfassung - 19.08.2020

Wed Aug 19 18:34:53 CEST 2020

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 18-08-2020 18:00 − Mittwoch 19-08-2020 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ FritzFrog malware attacks Linux servers over SSH to mine Monero ∗∗∗
---------------------------------------------
A sophisticated botnet campaign named FritzFrog has been discovered breaching SSH servers around the world, since at least January 2020.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fritzfrog-malware-attacks-linux-servers-over-ssh-to-mine-monero/


∗∗∗ Example of Word Document Delivering Qakbot, (Wed, Aug 19th) ∗∗∗
---------------------------------------------
Qakbot is back on stage at the moment! Many security companies already reported some peaks of activity around this malware. On my side, I also spotted several samples. The one that I'll cover today has been reported by one of our readers (thanks to him) and deserves a quick analysis of the obfuscation used by the attackers. It is not available on VT at this time (SHA256:507312fe58352d75db057aee454dafcdce2cdac59c0317255e30a43bfa5dffbc)
---------------------------------------------
https://isc.sans.edu/diary/rss/26482


∗∗∗ CDN-Filestore Credit Card Stealer for Magento ∗∗∗
---------------------------------------------
During a website remediation, we recently discovered a new version of a Magento credit card stealer which sends all compromised data to the malicious domain cdn-filestore[dot]com. My colleague Luke Leal originally wrote about this malware in a blog post earlier this year. Malware Evolution & Evasive Techniques One primary difference between this new version and theone Luke wrote about in April is that it was not packed. This detail suggests that the attackers updated the malware in an [...]
---------------------------------------------
https://blog.sucuri.net/2020/08/cdn-filestore-credit-card-stealer-for-magento.html


∗∗∗ Voice Phishers Targeting Corporate VPNs ∗∗∗
---------------------------------------------
The COVID-19 epidemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away credentials needed to remotely access their employers networks. But one increasingly brazen group of crooks is taking your standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees.
---------------------------------------------
https://krebsonsecurity.com/2020/08/voice-phishers-targeting-corporate-vpns/


∗∗∗ Angriff der Insta‑Klone ∗∗∗
---------------------------------------------
Unser Autor macht den Test: Mit einem geklonten Social-Media-Account und psychologischem Geschick lassen sich seine Kontakte ausnutzen und Betrügen. Vorsicht ist angesagt.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2020/08/18/angriff-der-insta-klone/


∗∗∗ 10 WordPress Security Mistakes You Might Be Making ∗∗∗
---------------------------------------------
Yesterday, August 18, 2020, the Wordfence Live team covered 10 WordPress Security Mistakes You Might be Making. This companion blog post reviews the recommendations we provided to avoid these mistakes and better secure your WordPress environment.
---------------------------------------------
https://www.wordfence.com/blog/2020/08/10-wordpress-security-mistakes-you-might-be-making/


∗∗∗ Ongoing Campaign Uses HTML Smuggling for Malware Delivery ∗∗∗
---------------------------------------------
An ongoing cybercrime campaign is employing a technique known as HTML smuggling to deliver malware onto the victim’s machine, Menlo Security reports. Referred to as Duri, the campaign started in early July and continues to date, attempting to evade network security solutions, including proxies and sandboxes, to deliver malicious code.
---------------------------------------------
https://www.securityweek.com/ongoing-campaign-uses-html-smuggling-malware-delivery


∗∗∗ Zahlreiche Meldungen zu hilufon.de, applefy.de und coyshop.de ∗∗∗
---------------------------------------------
Auf den unterschiedlichen Websites der appl handels ug werden und wurden diverse iPhone Modelle angeboten. Es handelt sich dabei um gebrauchte Geräte. Zahlreiche InternetuserInnen wenden sich jedoch an die Watchlist Internet und klagen über ausbleibende oder stark verspätete Lieferungen und andere Probleme mit dem Anbieter. Auch auf Bewertungsportalen zeigt sich ein ähnliches Bild.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-meldungen-zu-hilufonde-applefyde-und-coyshopde/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (imagemagick and ruby-websocket-extensions), Fedora (libetpan, LibRaw, and php), Gentoo (nss), Mageia (apache, ark, clamav, claws-mail, dovecot, firefox, firejail, freerdp, golang, jasper, kernel, libssh, libx11, postgresql-jdbc, python-rstlib, radare2, roundcubemail, squid, targetcli, thunderbird, tomcat, and x11-server), Red Hat (rh-mysql80-mysql), SUSE (dovecot22, freerdp, libvirt, and postgresql12), and Ubuntu (curl and linux-hwe, linux-azure-5.3, [...]
---------------------------------------------
https://lwn.net/Articles/829102/


∗∗∗ Vulnerability in Thales Product Could Expose Millions of IoT Devices to Attacks ∗∗∗
---------------------------------------------
Security researchers at IBM have discovered a potentially serious vulnerability in a communications module made by Thales for IoT devices. Millions of devices could be impacted, but the vendor released a patch six months ago.
---------------------------------------------
https://www.securityweek.com/vulnerability-thales-product-could-expose-millions-iot-devices-attacks


∗∗∗ Security Advisory - Denial of Service Vulnerability in SmartPhone Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200819-01-smartphonedos-en


∗∗∗ Security Bulletin: Vulnerability identified in docker for Red Hat Enterprise Linux ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-identified-in-docker-for-red-hat-enterprise-linux/


∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to IBM WebSphere Application Server Liberty vulnerabilities (CVE-2020-4303, CVE-2020-4304) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-ibm-websphere-application-server-liberty-vulnerabilities-cve-2020-4303-cve-2020-4304/


∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Elastic Storager Server GUI where authorised user can execute unauthorized function (CVE-2020-4378) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-elastic-storager-server-gui-where-authorised-user-can-execute-unauthorized-function-cve-2020-4378/


∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – OpenSSL (CVE-2019-1551) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-affects-ibm-cloud-private-openssl-cve-2019-1551/


∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVE-2019-11254) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-a-kubernetes-vulnerability-cve-2019-11254/


∗∗∗ Security Bulletin: Vulnerability in GNU gettext affects IBM Spectrum Protect Plus (CVE-2018-18751) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-gnu-gettext-affects-ibm-spectrum-protect-plus-cve-2018-18751-2/


∗∗∗ Security Bulletin: IBM Elastic Storage Server GUI is affected by cross-site scripting (CVE-2020-4358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-server-gui-is-affected-by-cross-site-scripting-cve-2020-4358/


∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-17573) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-an-ibm-websphere-application-server-liberty-vulnerability-cve-2019-17573/


∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerabilities-from-kernel-affect-ibm-netezza-host-management-4/


∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cloud Private ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cloud-private-2/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily